Black Energy18 - Russian botnet package analysis

© 2008 Security-Assessment.com. Black Energy 1.8: Russian web-based botnet package analysis. Presented by Roberto Suggi Liverani

Description

From the infection phase to the command & control functionalities, this talk is a 360-degree analysis of a recent Russian botnet distribution package. Particular features of this botnet are communication over the HTTP protocol and the use of PHP and MySQL.

Transcript of Black Energy18 - Russian botnet package analysis

Page 1: Black Energy18 - Russian botnet package analysis

Black Energy 1.8 – Russian web-based botnet package analysis

Presented By Roberto Suggi Liverani

Page 2

Agenda

Background

What’s In The Package?

Building The Backdoor

Infection Analysis

Command and Control System Architecture

Botnet Communication

Attacks Analysis

Defensive Measures

Conclusions

Demo

Page 3

Background

A little bit of background…

Web-based distributed denial of service (DDoS) botnet

Probably developed by one or more Russian hackers

Version 1.8 seems to be the most recent

Has been hosted in Malaysia and Russia and actively used against Russian targets

Communication is entirely based on HTTP

The command and control (C&C) system is based on PHP and a MySQL database

Version 1.7 was sold for 40 USD in Russian hacker forums

Version 1.8 has been downloaded from download.xakepok.org after visiting affiliate links

Page 4

What’s in the package?

The package format…

The package comes in a rar archive (blackenergy18.rar).

Package listings

Bot files:

builder.exe builds two versions of the same backdoor (encrypted and unencrypted)

crypt.exe is required by builder.exe to encrypt the backdoor

cadt.dll is required by crypt.exe to encrypt the backdoor

Page 5

What’s in the package?

The C&C files:

db.sql is the Mysql database structure of the C&C system

www directory contains all PHP scripts used by the C&C

index.php is the main C&C web interface page.

stat.php – core HTTP communication engine of the botnet. It receives the bots' requests and sends the responses.

flags folder contains flag icons used to identify bot country

config.php is the C&C interface config file.

common.php – common php functions used by the C&C components

cmdhelp.html – command listings and help syntax in Russian language

Net folder contains GeoIP.php application used to associate bot IP to a country

Page 6

Building the backdoor

Builder.exe creates two backdoor executables.

Some interesting options:

Page 7

Building the backdoor

Output results…

The _bot.exe is created within the same folder where builder.exe is located.

_bot.exe is the decrypted backdoor version.

crypted__bot.exe is the encrypted/packed version (according to some AV, the packer is “Stalin”).

Both executables are fully functional.

crypt.exe is automatically invoked by builder.exe and packs _bot.exe with Stalin. This is used to defeat AV detection and reverse engineering.

The backdoor decrypted file size is 23040 bytes

The backdoor encrypted/packed file size is 12871 bytes

Page 8

Infection Analysis

Infection scenario…

The Black Energy backdoor does not exploit any vulnerability in the operating system.

The victim needs to execute the malware in order to be infected.

The infection is typically triggered by the victim downloading and executing the backdoor from fake online games web sites.

Page 9

Infection Analysis - Methodology

Before proceeding to the analysis of the backdoor, let’s spend a few words on the methodology.

Dynamic and Static analysis:

To properly analyse the infection, the backdoor needs to be run in a controlled environment

In this way, it is possible to “detect” the changes the backdoor makes to that environment

Dynamic Analysis involves deploying multiple sensors into the environment to detect changes caused by the backdoor activity

Static Analysis involves use of reverse engineering tools to control the code execution of the backdoor

It is recommended to use both methods when analysing any malware.

Dynamic analysis tends to produce “false positives”, as many factors are analysed at the same time and some of them may not be related to the backdoor activity. For this reason, the analyst should always confirm the results with static analysis, and vice versa.

Page 10

Infection Analysis – Dynamic/Static Analysis

Dynamic Analysis Overview

Scope: Analysis of local system interaction using multiple tools

Any changes to the following components must be detected:

Windows Registry

File System

Memory/Processes

Network Traffic

Static Analysis Overview

Scope: Full deep analysis of the disassembly code of the backdoor executable

A deep analysis of the PE structure and disassembly code to understand how the backdoor interacts with the Registry, the Windows API and Windows DLLs: what functions are called, what operations are performed and what packer is used.

Page 11

Dynamic Analysis – Tools

The environment and the monitor tools in the dynamic analysis:

VMware image of WinXP with SP2 – this is the controlled environment where the infection has been analysed

VMware image of Ubuntu running LAMP environment to host the C&C system

Regmon.exe – tool used to monitor any changes to the Windows Registry

Filemon.exe – all file system activity is recorded by this tool

Diskmon.exe – all disk activity is recorded by this tool

SysInternals Process Explorer – like the Windows Task Manager, with additional features

Rapier (Rapid Assessment & Potential Incident Examination Report) is a framework that uses multiple tools to audit the entire OS

Wireshark and tcpdump – network analyser and sniffer

Page 12

Dynamic Analysis – Windows Registry

Tool: regmon.exe

Two Windows Registry keys have been created and one modified.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]

Page 13

Dynamic Analysis – File System

Tools: Rapier with WinAudit and Chksum, filemon.exe

A new file called mssrv32.exe is created in C:\Windows\System32

File size is 12780 bytes.

Other files added with the infection:

4c380647cca89aacd29ed5f7430b2151 _BOT.EXE-160375AD.pf

Filemon.exe is used to list all file activity on the system.

Page 14

Dynamic Analysis – File System

The following file system activities are related to the creation of mssrv32.exe:

Note that mssrv32.exe is the same size as _bot.exe.

Page 15

Dynamic Analysis – Network/Processes

Tools: Tcpview, Rapier + Network Module + GDIProcs, WinAudit

Tcpview output:

A process without name is identified by Tcpview. It starts a TCP connection with source port 1035 to destination port 80. 192.168.0.34 is the C&C master server in this instance.

The properties of the process show a connection between the bot and svchost.exe.

Page 16

Dynamic Analysis – Network/Processes

Rapier with Network Netstat result: (192.168.1.1 is the C&C server)

Rapier with Network module result:

The Rapier network module runs different scans. The information gathered allows the analyst to identify the PID associated with the process, the source/destination ports, the protocol and the associated executable.

These results are confirmed by the GDI Procs scan analysis as well:

Page 17

Dynamic Analysis – Network/Processes

WinAudit Result:

Note that there is no information associated with Process Description and Process Manufacturer

Page 18

Static Analysis – Reversing malware

The environment and the monitor tools in the static analysis:

VMware image of WinXP with SP2 – this is the controlled environment where the infection has been analysed

VMware image of Ubuntu running LAMP environment to host the C&C system

Ollydbg – Freeware Windows Debugger – this has been used with builder.exe, crypt.exe, _bot.exe, crypted__bot.exe, cdat.dll files

IDA Pro – Commercial Windows Debugger – this has been used with _bot.exe file

PEID – PE Tool analyser – this has been used with builder.exe, crypt.exe, _bot.exe, crypted__bot.exe, cdat.dll files

Page 19

Static Analysis – Reversing malware

Before analysing the disassembly code, information about the PE structure, imports and exports should be examined

Let’s dump the basic headers and the import/export entries of the malware executable.

The export table only contains a reference to the start function, which is the OEP (Original Entry Point).

Imports are mainly related to the following APIs and DLLs:

Page 20

Static Analysis – Reversing malware

Some interesting functions imported:

Page 21

Static Analysis – Reversing malware

Backdoor Installation

When the program is first launched, it runs some checks to see whether it has already been installed, and if not it installs itself.

This is done by calling GetModuleFileName to obtain the primary executable’s file name

If nothing is found, it copies itself to C:\WINDOWS\SYSTEM32\mssrv32.exe

Page 22

Static Analysis – Reversing malware

The backdoor cannot delete its own executable while it is running. The program therefore launches a new instance, terminates the first one, and deletes the original file from the new instance.

The backdoor proceeds to create a mutex called {F3532CE1-0832-11B1-920A-25000A276A73}. The purpose of this mutex is to make sure no other instances of the program are already running; the program terminates if the mutex already exists. This mechanism ensures that the program doesn’t try to infect the same host twice.

Page 23

Static Analysis – Reversing malware

During the installation, the backdoor interacts with the Windows Registry. The following is an example of registry creation to establish the backdoor as a system service that runs at each system boot:

The following registry value is added to disable the Windows raw socket security checks (this enables the backdoor to launch network DDoS attacks):

Page 24

Static Analysis – Reversing malware

After creating mssrv32.exe, it creates a svchost.exe process. It then deletes _bot.exe.

Page 25

Static Analysis – Reversing malware

Botnet communication

Then it starts to communicate with the server through HTTP POST requests.

Page 26

Static Analysis – Reversing malware

Crypted__bot.exe – some words about defeating the protector used by Black Energy

Some AV engines identify the packer as “Stalin”, but no information is available about this packer.

Crypt.exe creates an executable file which contains the encrypted backdoor at address 13112000.

At VA 131110A1 there is a call to the function at 131111B9. This function includes multiple sub-functions which perform bitwise operations to decrypt the backdoor into memory.

The decrypted backdoor is then copied in clear text, byte by byte, to memory address 00320000. The size of the memory allocated for the decrypted backdoor is 6000 bytes.

The memory can then be dumped to an executable file with the OllyDump plug-in, or the OEP can be changed. A tool like ImpRec is then needed to rebuild the import/export table of the dumped file. LordPE can then be used to optimise the code.

Page 27

Static Analysis – Reversing malware

Finding the OEP of the decrypted backdoor…

Crypted _bot.exe is stored at 13112000

Crypted_.131111b9 decrypts _bot.exe to 00320000

Note the different sizes: 6000 and 3000

Page 28

C&C System Architecture

Command and Control System architecture requires:

Mysql Server

Any web server supporting PHP and PHP-Mysql

The C&C is ideal for vulnerable LAMP environments

MySQL Database Overview – the database is composed of three tables:

Files – id, url, dnum, dtotal, country

Opt – name, value

Stat – id, build_id, files, ip, last, country, country_full

The Files table is associated with the downloader function. The url field contains the URL from which the backdoor can fetch and launch another executable. It is not clear how this function works.

It might be used for “updating” the botnet. A cross-reference field (files) is also present in the stat table.

Page 29

C&C System Architecture

The Opt table stores the commands list:

attack_mode – a numerical value for the type of attack (default, drop by socket, drop by timeout)

cmd – the command to send to the bot

http_freq – how many requests per second to send in HTTP GET flood mode

http_threads – how many program threads to create for the HTTP flood

icmp_freq – how many ICMP packets to send in an ICMP attack mode

icmp_size – how large the ICMP packets sent in ICMP attack mode should be

max_sessions – for ‘drop by timeout’

spoof_ip – Boolean, used in raw packet flooding attacks

syn_freq – how frequently to send packets during a TCP SYN flood

tcpudp_freq – how often to send TCP or UDP traffic

tcp_size – how large the TCP packets should be

udp_size – how large the UDP packets should be

ufreq – how long (in minutes) to wait before checking for another command

Page 30

C&C System Architecture

This is the opt table after a flood http localhost command sent to the bot:

Page 31

C&C System Architecture

The Stat table contains all the statistics of the botnet:

ID is built from the system’s SMB hostname and the System Volume ID from the C:\ drive of the infected machine

build_id is the string value set by builder.exe (can be changed at the building time)

Files is a reference to the files table.

Last is a time value as returned by time() and measures the bot heartbeat

Country and country_full are used by the web interface to display the relative country flag of the bot

Page 32

C&C System Architecture

C&C system web interface (index.php)

From here, commands can be sent and statistics can be accessed.

Page 33

C&C System Architecture

Sending the commands to the zombie…

The command entered through the web interface (index.php) is saved into the database (table opt).

The bot performs regular POST requests to http://c&cserver/stat.php, or to whatever URL was set at build time. These requests are performed in order to receive commands from the master server. If the zombie is not able to connect to the master server, it automatically executes the command specified at build time (by default -> wait). Wait sets a counter after which the zombie retries connecting to the master server.

Page 34

C&C System Architecture

stat.php is responsible for retrieving commands from the database and outputting them base64-encoded.

Page 35

C&C System Architecture

Commands Available:

Refresh Rate – change the refresh rate

Flood – Network DDoS attacks

icmp - a basic ICMP ping flood

syn - a basic TCP SYN flood

udp - a basic UDP traffic flood

http - an HTTP GET request flooder.

data - a basic binary packet flooder

dns – a DNS request flooder

Wait – the bot process sleeps for x seconds and then repeats the POST request to receive new commands.

Stop – stop any attack currently running.

Die – this deletes the backdoor on the infected machine

Page 36

C&C System Architecture

Commands Syntax:

flood http 192.168.1.1 index.htm

flood icmp 192.168.2.2 index.php

flood syn 192.168.3.2

Multiple Commands can be specified using semicolon:

dns; icmp; http; syn; 192.168.1.1#15#xHOST

Normally, DDoS options are passed in the command syntax as well:

'10;2000;10;0;0;30;100;3;20;1000;2000#wait#10#xHOST'

In order: ICMP frequency, ICMP packet size, SYN frequency, spoof IP or not (Boolean value), the attack mode, the maximum number of HTTP sessions, the HTTP connection frequency, the number of HTTP threads, the TCP and UDP frequency, the UDP size, TCP packet size and the bot id.

Page 37

Botnet Communication

Botnet communication from a network perspective:

Tools: tcpdump and wireshark.

HTTP POST request from bot:

Note that the bot id and build_id are passed in the POST request. These are needed by the master to identify the bot.

HTTP Response from Master Server:

Command -> 10;2000;10;0;0;30;100;3;20;1000;2000#stop#1#
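As an added example (not code from the talk or from the bot package), the following Python decodes a captured stat.php response like the one above and splits it into the DDoS options (named after the opt table rows, in the order the command syntax slide gives them), the command list, the numeric field after the command, and the bot id. The interpretation of that numeric field as the refresh interval the bot waits before polling again is an assumption; the slides do not name it.

```python
import base64
import binascii

# Names of the ';'-separated DDoS options, in the order the slides give them;
# they correspond to the rows of the C&C "opt" table.
OPTION_ORDER = (
    "icmp_freq", "icmp_size", "syn_freq", "spoof_ip", "attack_mode",
    "max_sessions", "http_freq", "http_threads", "tcpudp_freq",
    "udp_size", "tcp_size",
)


def decode_response(body):
    """Return the clear-text command from a stat.php response body.

    stat.php outputs the command base64-encoded; a body that is already in
    clear text (as shown on the slides) is returned unchanged.
    """
    text = body.strip()
    if "#" in text:  # '#' is not a base64 character, so this is already decoded
        return text
    try:
        return base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("response is neither base64 nor a clear command") from exc


def parse_command(command):
    """Split 'options#command#interval#bot_id' into its parts.

    The options prefix is optional (the slides show 'dns; icmp; ...#15#xHOST'
    without it). Assumption: the numeric field after the command is the
    refresh interval the bot waits before polling the master again.
    """
    fields = command.split("#")
    if len(fields) == 4:
        opts_part, cmd_text, interval, bot_id = fields
        values = opts_part.split(";")
        if len(values) != len(OPTION_ORDER):
            raise ValueError(f"expected {len(OPTION_ORDER)} options, got {len(values)}")
        options = dict(zip(OPTION_ORDER, map(int, values)))
    elif len(fields) == 3:
        cmd_text, interval, bot_id = fields
        options = None
    else:
        raise ValueError("unexpected number of '#' fields")
    commands = [c.strip() for c in cmd_text.split(";") if c.strip()]
    return {"options": options, "commands": commands,
            "interval": int(interval), "bot_id": bot_id}


def flood_targets(parsed):
    """List (kind, target, path) for every 'flood <kind> <target> [path]' command."""
    targets = []
    for cmd in parsed["commands"]:
        tokens = cmd.split()
        if len(tokens) >= 3 and tokens[0] == "flood":
            path = tokens[3] if len(tokens) > 3 else ""
            targets.append((tokens[1], tokens[2], path))
    return targets


# Constructed samples: the responses shown on the slides, base64-encoded as stat.php sends them.
SAMPLE_STOP = base64.b64encode(
    b"10;2000;10;0;0;30;100;3;20;1000;2000#stop#1#").decode()
SAMPLE_FLOOD = base64.b64encode(
    b"10;2000;10;0;0;30;100;3;20;1000;2000#flood http 192.168.1.1 index.htm#10#xHOST").decode()

if __name__ == "__main__":
    for sample in (SAMPLE_STOP, SAMPLE_FLOOD):
        parsed = parse_command(decode_response(sample))
        print(parsed["commands"], parsed["interval"], flood_targets(parsed))
```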

Page 38

DDoS Attacks Overview

DDoS Attacks with flood command overview

Flood udp – this attack involves sending malformed UDP packets. Source and destination ports are random.

Flood ICMP – this attack sends ICMP echo requests to the target with a payload of 1480 bytes (this value can be changed arbitrarily)

Page 39

DDoS Attacks Overview

Flood HTTP – this involves GET requests to the URL specified in the command syntax.

Flood Data – this sends malformed UDP packets with an invalid length. The payload size varies for each packet and random data is appended to the payload. Source and destination ports are random for each packet.

Page 40

Defenses and Countermeasures

AV Detection – both _bot.exe and crypted__bot.exe have been analysed. Some AV engines still fail to identify the Black Energy backdoor; some identify it as a downloader instead.

The service that has been used is provided by virustotal.com

_bot.exe results available here: http://www.virustotal.com/analisis/c88ba95b30d2fe50bc612ab73b922fc2

Crypted_bot.exe results available here: http://www.virustotal.com/analisis/12cc7b4378f7ce90963232423590068b

Page 41

Defenses and Countermeasures

_bot.exe results: Detected by 23/32 AVs (71.88%)

Page 42

Defenses and Countermeasures

Crypted__bot.exe results: Detected by 17/32 AV (53.12%)

Page 43

Defenses and Countermeasures

Backdoor Variants:

Three different backdoor variants have been identified. The variants differ in the POST data sent to the C&C master server.

First variant: uses a simple two-part data string to communicate with the web server, presenting the bot host ID and the build ID in two different variables

Second variant: uses only one variable, ‘data’, to submit this information, separating the two values with a colon (‘:’)

Third variant: the same values (bot ID and build_id) plus a SOCKS/HTTP proxy address.
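An added example (not from the talk) of how a web-server log or IDS analyst could tell the three check-in variants apart from the POST body alone. The variant 1 field names `id` and `build_id`, and the `bot_id:build_id:proxy` layout of variant 3, are assumptions, since the slides do not give them.

```python
from urllib.parse import parse_qs

# Constructed sample POST bodies, one per variant; the values are made up.
SAMPLE_BODIES = {
    1: "id=XPHOST_1A2B3C4D&build_id=build1",
    2: "data=XPHOST_1A2B3C4D:build1",
    3: "data=XPHOST_1A2B3C4D:build1:10.0.0.5:1080",
}


def classify_checkin(post_body):
    """Identify which check-in variant a bot POST body belongs to.

    Variant 1: two separate form variables carrying the bot id and build id
               (the field names 'id' and 'build_id' are an assumption).
    Variant 2: a single 'data' variable holding 'bot_id:build_id'.
    Variant 3: 'data' with a further colon-separated part, the proxy address
               (assumed layout; a host:port proxy adds a colon of its own).
    Returns None when the body matches none of the three.
    """
    fields = parse_qs(post_body, keep_blank_values=True)
    if "data" in fields:
        parts = fields["data"][0].split(":")
        if len(parts) == 2:
            return {"variant": 2, "bot_id": parts[0], "build_id": parts[1]}
        if len(parts) >= 3:
            return {"variant": 3, "bot_id": parts[0], "build_id": parts[1],
                    "proxy": ":".join(parts[2:])}
        return None
    if "id" in fields and "build_id" in fields:
        return {"variant": 1, "bot_id": fields["id"][0],
                "build_id": fields["build_id"][0]}
    return None


if __name__ == "__main__":
    for variant, body in SAMPLE_BODIES.items():
        print(variant, classify_checkin(body))
```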

Page 44

Conclusions

The Black Energy botnet package is not difficult to obtain

The C&C system is trivial to install and can easily be deployed in any compromised LAMP environment

The C&C system is easy to use and manage (script-kiddie style)

Some AV engines still do not detect the Black Energy backdoor, although it has been around since mid-2007.

Black Energy version 1.7 was released in summer 2007. Version 1.8 was released in November. A new version will probably come out soon.

The main differences between version 1.7 and version 1.8 are the web interface and the downloader feature.

It is unclear today what the next variants or versions of the Black Energy botnet package will look like. The information currently available suggests that the next version will be easier to use and will include additional features.

Page 45

Demo

Time for a Demo!

Demo in VMware environments

Only 2 hosts:

C&C master server – Ubuntu 6.10 + LAMP – 192.168.1.1

Bot Machine: WinXP with SP2 – 192.168.1.2

Page 46

Questions?

